General

  • Target: 6b2417eeac6a435ce8ef52ec4b98082b.exe
  • Size: 292KB
  • Sample: 221104-x5hapsacd7
  • MD5: 6b2417eeac6a435ce8ef52ec4b98082b
  • SHA1: 46a459c36a345038af6cf8ebf2d9bfa4db1a8df0
  • SHA256: 9804e56a73b0af43b7b519da92467c63365bf8cdd27090e2b0641616b9992632
  • SHA512: 46a395a047075979cc36b3415750c9a837a3975d8b2ddaa86c0c870687e93427a91fcb9192f0caec06bf6724ee060a940272bb0dae185bf920f1fa6ab9616cb4
  • SSDEEP: 3072:31S1BIEjT02LyIk3u5rAy3zzStYfMoNwIYt2Y03P5emgbvQih/98KD:ABI92Le3q3itYfLJ9Y03P5emgT7/L

Malware Config

Extracted

Family: remcos
Botnet: v381
C2: srv01.airdns.org:32841

Attributes
  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: winupd381.exe
  • delete_file: true
  • hide_file: true
  • hide_keylog_file: true
  • install_flag: true
  • keylog_crypt: true
  • keylog_file: logs.dat
  • keylog_flag: false
  • mouse_option: false
  • mutex: winupd_v381-K1NSYR
  • screenshot_crypt: true
  • screenshot_flag: false
  • screenshot_folder: winupdc_sc
  • screenshot_time: 1
  • startup_value: winupd381
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: notepad;solitaire;

Extracted

Family: redline
Botnet: @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
C2: 151.80.89.233:13553

Attributes
  • auth_value: fbee175162920530e6bf470c8003fa1a

Extracted

Family: remcos
Botnet: New
C2:
  • 173.212.217.108:1050
  • zab4ever.no-ip.org:1050
  • 1zab4ever.no-ip.org:1050
  • 1zab4ever.duckdns.org:1050

Attributes
  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: BrowseUpdt.exe
  • delete_file: false
  • hide_file: true
  • hide_keylog_file: true
  • install_flag: true
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: nobita.dat
  • keylog_flag: false
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: khruioprs-T021C4
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: BrowseUpdt
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: notepad;solitaire;

Targets

    • Target: 6b2417eeac6a435ce8ef52ec4b98082b.exe
    • Size: 292KB
    • MD5: 6b2417eeac6a435ce8ef52ec4b98082b
    • SHA1: 46a459c36a345038af6cf8ebf2d9bfa4db1a8df0
    • SHA256: 9804e56a73b0af43b7b519da92467c63365bf8cdd27090e2b0641616b9992632
    • SHA512: 46a395a047075979cc36b3415750c9a837a3975d8b2ddaa86c0c870687e93427a91fcb9192f0caec06bf6724ee060a940272bb0dae185bf920f1fa6ab9616cb4
    • SSDEEP: 3072:31S1BIEjT02LyIk3u5rAy3zzStYfMoNwIYt2Y03P5emgbvQih/98KD:ABI92Le3q3itYfLJ9Y03P5emgT7/L

    Signatures

    • Detects Smokeloader packer
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Remcos
      Remcos is a closed-source remote control and surveillance software.
    • SmokeLoader
      Modular backdoor trojan in use since 2014.
    • Downloads MZ/PE file
    • Executes dropped EXE
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6